@lateos/npm-scan 0.15.4 → 0.15.5

package/README.md

@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/@lateos/npm-scan?style=flat-square)](https://www.npmjs.com/package/@lateos/npm-scan)
 [![License](https://img.shields.io/badge/license-Apache%202.0%20%2B%20Commons%20Clause-blue?style=flat-square)](LICENSING.md)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
-[![Tests](https://img.shields.io/badge/tests-384%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Tests](https://img.shields.io/badge/tests-428%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-90%25-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
@@ -47,7 +47,9 @@ The **Megalodon campaign** (2026) alone compromised 5,500+ repositories via fake
 | Sandbox evasion detection (ATK-010) | ❌ | ❌ | ❌ | ✅ |
 | Transitive worm propagation (ATK-011) | ❌ | ❌ | ❌ | ✅ |
 | Campaign detection (Megalodon CI/CD) | ❌ | ❌ | ❌ | ✅ |
+| Worm campaign detection (Mini Shai-Hulud Wave 1–3) | ❌ | ❌ | ❌ | ✅ |
 | HF model repo impersonation + README clone | ❌ | ❌ | ❌ | ✅ |
+| VS Code extension supply chain scan (--vsix) | ❌ | ❌ | ❌ | ✅ |
 | Attack taxonomy (ATK series) | ❌ | ❌ | ❌ | ✅ |
 | SBOM output (CycloneDX + SPDX) | ❌ | ✅ | ❌ | ✅ |
 | SARIF v2.1 (GitHub Code Scanning) | ❌ | ❌ | ❌ | ✅ |
@@ -68,6 +70,8 @@ The **Megalodon campaign** (2026) alone compromised 5,500+ repositories via fake
 | 🕵️ | **Heuristic static analysis** | AST-level inspection catches obfuscation, eval chains, env probing, and suspicious lifecycle scripts that regex-based tools miss |
 | 🧠 | **Behavioral detection** | Identifies conditional triggers (time-based, CI-aware), sandbox evasion, and dormant activation patterns |
 | 🧬 | **ATK attack taxonomy** | 11 classified attack types with NIST 800-161 mappings — versioned, documented, and PR-able |
+| 🪱 | **Worm campaign detection** | Mini Shai-Hulud — 6 sub-checks detecting burst publish, sibling compromise, SLSA attestation mismatch, publisher drift, IOC match, and token exfil across 3 waves (TanStack, AntV/atool, Nx Console) |
+| 🧩 | **VSIX extension scanning** | `npm-scan scan --vsix nrwl.angular-console` — detects VS Code Marketplace supply chain attacks: burst publish, publisher anomaly, activation event risk, orphan commit fetch, known IOC, and exfil patterns (Nx Console 18.95.0 CVE-2026-48027) |
 | 📦 | **SBOM generation** | CycloneDX 1.5 and SPDX 2.3 with findings embedded as vulnerabilities |
 | 🔍 | **SARIF output** | GitHub Advanced Security / CodeQL compatible SARIF v2.1 — shows findings directly in Security tab |
 | 🧾 | **Compliance reporting** | NIST SP 800-161 traceability matrix + EU Cyber Resilience Act mapping (free tier) |
@@ -193,41 +197,28 @@ npm-scan scan some-package --policy .npm-scan.yml
 
 # Scan a local tarball (no registry fetch needed)
 npm-scan scan --file path/to/malicious-package.tgz
+
+# Scan a VS Code extension for Marketplace supply chain attacks
+npm-scan scan --vsix nrwl.angular-console
+
+# Scan a package AND a VSIX extension together (findings merge)
+npm-scan scan lodash --vsix nrwl.angular-console
 ```
 
 ### Scan a lockfile
 
 ```bash
-# Scan the current project's dependencies (auto-detects npm/yarn/pnpm)
-npm-scan scan-lockfile
-
-# Scan a specific lockfile
-npm-scan scan-lockfile -f ./path/to/package-lock.json
-
-# Scan yarn.lock or pnpm-lock.yaml
-npm-scan scan-lockfile -f ./yarn.lock --yarn
-npm-scan scan-lockfile -f ./pnpm-lock.yaml --pnpm
-
-# Fail CI/CD on high or critical findings (exit code 1)
-npm-scan scan-lockfile --fail-on high
-
-# Fail on any findings (low and above)
-npm-scan scan-lockfile --fail-on low
-
-# Generate SARIF v2.1 output for GitHub Advanced Security / VS Code
-npm-scan scan-lockfile --sarif results.sarif
-
-# Watch for changes and auto-rescan (single lockfile)
-npm-scan scan-lockfile --watch
+# Scan a single package
+npm-scan scan lodash
 
-# Watch with faster debounce (500ms) — great for dev workflows
-npm-scan scan-lockfile --watch --debounce 500
+# Scan your lockfile
+npm-scan scan-lockfile
 
-# Watch monorepo (all lockfiles — npm/yarn/pnpm — in workspace)
-npm-scan scan-lockfile --watch --monorepo
+# Scan a VS Code extension for supply chain threats
+npm-scan scan --vsix nrwl.angular-console
 
-# Output only risk score (0-10) for dashboards/thresholds
-npm-scan scan-lockfile --score-only
+# View latest scans
+npm-scan report
 ```
 
 ### Generate reports
@@ -288,10 +279,14 @@ npm-scan report --pdf             # all scans (premium)
 | **ATK-011** | Transitive propagation (worm-style lateral spread) | Behavioral | 🔴 high | SR-11.4 |
 | **MEGALODON** | Megalodon CI/CD campaign — workflow C2 exfil, credential harvest, publish velocity spike, publisher drift | Static + Registry | ⚫ critical | SR-3.1, SR-7.5 |
 | **HF_IMPERSONATION** | HuggingFace org spoof detection — Jaro-Winkler similarity against 15 known-good orgs, SimHash README clone detection, artifact mismatch (`.exe`/`.dll` in model repos), postinstall escalation, new-org amplifier | Static + Network (Stage 2) | 🔴 high / ⚫ critical | SR-2.1 |
+| **MINI_SHAI_HULUD** | Mini Shai-Hulud worm campaign — burst publish velocity (≥3 versions/30 min), co-temporal sibling compromise, SLSA attestation mismatch (sub-60s gap, first-ever, builder mismatch), publisher drift (<10 min account change), IOC match (scope/sha512/publisher from seed file), token exfil (NPM_TOKEN/.npmrc/atob patterns), Nx Console downstream detection | Static + Registry | 🔴 high / ⚫ critical | SR-3.1, SR-7.5 |
+| **VSIX_SCAN** | VS Code extension supply chain scan — burst publish (≥2 versions/30 min, hot-pull <20 min), publisher anomaly (account substitution, new-account on high-install ext, 15-min add+publish), activation event risk (onStartupFinished→HIGH, *→CRITICAL, escalation on shell keywords), orphan commit fetch (GitHub API SHA refs, npx git URL, MCP-disguised exfil, Bun install), known IOC (extensionId/publisherAccount/commit hash from seed), exfil patterns (cred paths, DNS tunneling, AES+RSA, anti-analysis, Bun APIs) | Static + Registry | 🟠 medium / 🔴 high / ⚫ critical | SR-3.1, SR-5.3 |
 
 > **How evasive attacks are caught:** ATK-009 detects packages that check `process.env.CI`, probe hostnames, or use time-based activation. ATK-010 flags `debugger` statements, `os.hostname()` probes, and env fingerprinting. ATK-011 traces peer dependency graphs to detect worm-like propagation patterns.  
 > **MEGALODON** campaign detection analyzes bundled `.github/workflows/` files for C2 co-occurrence and base64 decode chains, scans tarball files for credential + outbound network patterns, detects version publish velocity spikes via npm registry metadata, and identifies publisher account drift — all without any network calls beyond the initial package fetch.  
 > **HF_IMPERSONATION** detection uses a lazy two-stage evaluation: Stage 1 scans `package.json` scripts and JS/TS sources for HuggingFace references (URLs, `from_pretrained()`, `hub.download()`) and runs Jaro-Winkler similarity against 15 known-good HF orgs — zero network. If spoofs are found, Stage 2 fetches the HF model API, computes SimHash of both READMEs for clone detection, validates artifact type consistency (e.g., `transformers` library with `.exe` files is flagged as critical), applies a new-org amplifier (<30 days), and escalates when the reference appears in a lifecycle script.  
+> **MINI_SHAI_HULUD** worm campaign detection uses a lazy two-stage evaluation: Stage 1 runs burst velocity, publisher drift, IOC, and token exfil checks (in-memory, no network). If burst triggers, Stage 2 queries npm attestation endpoints for SLSA anomalies and fetches sibling package registry metadata for co-temporal burst detection. Composite finding includes wave attribution (wave1-tanstack, wave2-antv, wave3-nx-console) and critical severity when SLSA or IOC match. NX_CONSOLE_DOWNSTREAM (D7) flags npm packages with `@nx/*` dependencies and checks for `nrwl.angular-console` in `.vscode/extensions.json`.  
+> **VSIX_SCAN** extension scanning wraps both VS Code Marketplace and Open VSX registries with rate-limited (10 req/min), cached (5 min TTL) API clients. All 6 detectors run asynchronously and aggregate into a single composite `VSIX_SCAN` finding. Zero extension code is executed — all analysis is static regex/text-pattern matching. No Bun installation required for Bun pattern detection.  
 > See [`docs/attack-taxonomy.md`](docs/attack-taxonomy.md) for full evasion surface documentation and PoC examples.
 
 ---
@@ -367,6 +362,18 @@ npm-scan scan target --policy .npm-scan.yml
 | `NPM_SCAN_LICENSE_KEY` | Premium / enterprise license key | — |
 | `NPM_SCAN_DATA_DIR` | Scan history directory | `./.npm-scan` |
 | `NPM_SCAN_LOG_LEVEL` | Log verbosity | `info` |
+| `NPM_SCAN_LICENSE_SECRET` | HMAC key for license generation/validation | `npm-scan-default-dev-key` |
+
+### IOC configuration
+
+Campaign detectors use seed IOC files for known-malicious fingerprints:
+
+| IOC File | Detector | Types |
+|----------|----------|-------|
+| `backend/detectors/mini-shai-hulud/iocs.json` | Mini Shai-Hulud (Waves 1–3) | `packageScope`, `publisherAccount`, `sha512`, `extensionId` |
+| `backend/vsix-scan/vsix-iocs.json` | VSIX extension scan | `extensionId`, `publisherAccount`, `orphanCommitHash` |
+
+IOC files follow a unified schema (`iocs: [{ type, value, ... }]`) and are loaded at module init. Update them from your threat intel feed to extend detection coverage without code changes.
 
 ### Premium licensing
 
@@ -638,7 +645,7 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
 
 ### Free tier (shipped)
 
-- All 11 ATK detectors + **MEGALODON** CI/CD campaign detection (D1–D6) + **HF_IMPERSONATION** detector
+- All 11 ATK detectors + **MEGALODON** CI/CD campaign detection (D1–D6) + **HF_IMPERSONATION** detector + **MINI_SHAI_HULUD** worm campaign (D1–D7, 3 waves) + **VSIX_SCAN** extension supply chain scan (6 detectors)
 - SBOM output (CycloneDX + SPDX)
 - HTML, text, and compliance reports (NIST + EU CRA)
 - Policy-as-code engine (YAML)
@@ -647,6 +654,7 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
 - Pre-commit hook (husky + lint-staged)
 - Docker images + Compose pipeline
 - Watch mode (--watch / --monorepo for auto-rescan)
+- VS Code extension scanning (--vsix flag with Marketplace + Open VSX registries)
 
 ### Premium (🔐 license key)
 
@@ -708,6 +716,14 @@ node --test test/detectors-corpus.test.js
 - `test/report.test.js` — SARIF, CSV, STIG, risk score format tests
 - `test/lockfile.test.js` — npm/yarn/pnpm parser, auto-detect, ATK-007/011 lockfile tests
 - `test/hf-impersonation.test.js` — 13 HF impersonation detection tests (no-ref, exact match, spoof, README clone, artifact mismatch, postinstall escalation, new-org tag)
+- `test/mini-shai-hulud.test.js` — 22 Mini Shai-Hulud worm campaign detection tests (burst, sibling, SLSA, maintainer, IOC, exfil, wave attribution)
+- `test/vsix-scan/burst-publish.test.js` — 4 VSIX burst publish tests (threshold, sub-threshold, hot-pull, Open VSX window)
+- `test/vsix-scan/publisher-anomaly.test.js` — 5 publisher anomaly tests (cross-namespace, new-account, add+publish, substitution, silent)
+- `test/vsix-scan/activation-event-risk.test.js` — 5 activation event risk tests (onStartupFinished, wildcard, escalation, first-time, silent)
+- `test/vsix-scan/orphan-commit-fetch.test.js` — 5 orphan commit tests (GitHub SHA, npx git, MCP exfil, Bun install, silent)
+- `test/vsix-scan/known-ioc.test.js` — 4 known IOC tests (extensionId, publisher window, outside window)
+- `test/vsix-scan/exfil-pattern.test.js` — 5 exfil pattern tests (creds, DNS tunnel, AES+RSA, anti-analysis, silent)
+- `test/vsix-scan/integration.test.js` — 4 integration tests (Nx Console CRITICAL, safe version clean, orphan commit, skipNetwork)
 - `test/cli.test.js` — commander integration tests (help, version, scan, report, error handling)
 - `test/cli-lockfile.test.js` — scan-lockfile CLI options, yarn/pnpm/monorepo/watch tests
 

package/backend/detectors/mini-shai-hulud/d5-ioc-check.js

@@ -43,7 +43,7 @@ export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, ti
 
   for (const waveKey of Object.keys(data.waves || {})) {
     const wave = data.waves[waveKey];
-    const waveNum = waveKey === 'wave1' ? 1 : 2;
+    const waveNum = waveKey === 'wave1' ? 1 : waveKey === 'wave2' ? 2 : 3;
     for (const ioc of (wave.iocs || [])) {
       allIOCs.push({ ...ioc, wave: waveNum });
     }

package/backend/detectors/mini-shai-hulud/index.js

@@ -28,6 +28,8 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
   }
 
+  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
+
   const triggeredChecks = [];
   if (burstResult.triggered) triggeredChecks.push('D1_BURST');
   if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
@@ -35,6 +37,7 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
   if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
   if (iocResult.triggered) triggeredChecks.push('D5_IOC');
   if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
+  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
 
   if (triggeredChecks.length === 0) return [];
 
@@ -43,14 +46,16 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     waveAttribution = 'wave1-tanstack';
   } else if (pkgName.startsWith('@antv')) {
     waveAttribution = 'wave2-antv';
+  } else if (nxDownstreamResult.triggered) {
+    waveAttribution = 'wave3-nx-console';
   } else if (iocResult.matches && iocResult.matches.length > 0) {
     const waves = [...new Set(iocResult.matches.map(m => m.wave))];
     if (waves.length === 1) {
-      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : 'wave2-antv';
+      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
     }
   }
 
-  const isCritical = slsaResult.triggered || iocResult.triggered;
+  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
 
   const evidence = {
     campaign: 'MINI_SHAI_HULUD',
@@ -65,6 +70,9 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
     iocMatches: iocResult.triggered ? iocResult.matches : null,
     installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
+    nxConsoleDownstream: nxDownstreamResult.triggered
+      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
+      : null,
   };
 
   return [{
@@ -73,8 +81,38 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     title: 'Mini Shai-Hulud worm campaign',
     description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
     evidence: JSON.stringify(evidence),
-    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages.',
+    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
   }];
 }
 
+function checkNxConsoleDownstream(pkgJson, allFiles) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+
+  let vsCodeExtensions = [];
+  if (allFiles && Array.isArray(allFiles)) {
+    for (const file of allFiles) {
+      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+        try {
+          const content = typeof file.content === 'string' ? file.content : '';
+          const parsed = JSON.parse(content);
+          const allExts = [
+            ...(parsed.recommendations || []),
+            ...(parsed.unwantedRecommendations || []),
+          ];
+          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          if (matched.length > 0) {
+            vsCodeExtensions = matched;
+          }
+        } catch {
+          // non-JSON extensions.json, skip
+        }
+      }
+    }
+  }
+
+  return { triggered: true, nxDeps, vsCodeExtensions };
+}
+
 export { clearSiblingCache } from './d2-sibling-compromise.js';

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -33,6 +33,38 @@
           "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
         }
       ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
     }
   },
   "iocs": [

package/backend/vsix-scan/detectors/activation-event-risk.js

@@ -0,0 +1,116 @@
+const ACTIVATION_RISK_MATRIX = {
+  '*': { base: 'critical', label: 'Wildcard (all files)' },
+  'onStartupFinished': { base: 'high', label: 'Startup finished' },
+  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
+  'workspaceContains': { base: 'high', label: 'Workspace contains' },
+  'onCommand:*': { base: 'low', label: 'Any command' },
+};
+
+const DEFAULT_BASE_RISK = 'medium';
+
+const ESCALATION_KEYWORDS = [
+  'npx', 'bun', 'curl', 'wget', 'fetch(',
+  'exec(', 'spawn(', 'execSync', 'spawnSync',
+  'child_process', 'shell: true', 'detached: true',
+];
+
+const BUNDLED_BUN_PATTERN = /bun|runtime/;
+
+const SIZE_DELTA_THRESHOLD = 400 * 1024;
+
+const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
+
+export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
+  const signals = [];
+
+  const activationEvents = extensionManifest?.activationEvents || [];
+  if (activationEvents.length === 0 && extensionManifest?.main) {
+    return { triggered: false, signals: [], riskLevel: null, why: [] };
+  }
+
+  let maxBaseRisk = 0;
+  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
+  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+  let worstEvent = null;
+  const why = [];
+
+  for (const event of activationEvents) {
+    const risk = ACTIVATION_RISK_MATRIX[event];
+    if (risk) {
+      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    } else if (event.includes('*') && event !== 'onCommand:*') {
+      const baseIdx = riskValues['high'];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    }
+  }
+
+  const contributes = extensionManifest?.contributes || {};
+  const commands = contributes?.commands || [];
+  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
+
+  const bundledDeps = extensionManifest?.bundledDependencies || [];
+  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
+
+  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
+  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
+
+  const activationEventsStr = activationEvents.join(' ');
+  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
+
+  let escalateToCritical = false;
+
+  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
+    escalateToCritical = true;
+    why.push('HIGH activation event + shell/execution keywords');
+  }
+
+  if (versionHistory.length >= 2) {
+    const sizes = versionHistory
+      .filter(v => v.assetSize)
+      .map(v => v.assetSize)
+      .sort((a, b) => b - a);
+
+    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
+      escalateToCritical = true;
+      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
+    }
+  }
+
+  const priorActivationEvents = priorVersions
+    .filter(v => v.activationEvents)
+    .flatMap(v => v.activationEvents);
+
+  if (priorActivationEvents.length > 0) {
+    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
+    if (newEvents.length > 0) {
+      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
+      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
+        escalateToCritical = true;
+      }
+    }
+  }
+
+  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
+  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
+    riskLevel = 'critical';
+  }
+
+  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
+
+  signals.push({
+    type: 'ACTIVATION_EVENT_RISK',
+    activationEvents,
+    riskLevel,
+    why,
+  });
+
+  return { triggered: true, signals, riskLevel, why };
+}

package/backend/vsix-scan/detectors/burst-publish.js

@@ -0,0 +1,52 @@
+export async function checkBurstPublish(versionHistory, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 2;
+  const hotPullMinutes = config.hotPullMinutes ?? 20;
+
+  const entries = versionHistory
+    .filter(v => v.publishedAt)
+    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
+    .filter(e => !Number.isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+
+  if (entries.length < threshold) return { triggered: false };
+
+  const windowMs = windowMinutes * 60 * 1000;
+  let burstFound = false;
+  let burstWindowStart = null;
+  let burstWindowEnd = null;
+  let burstVersionCount = 0;
+  let burstVersions = [];
+
+  for (let i = 0; i < entries.length; i++) {
+    const start = entries[i].time;
+    const end = start + windowMs;
+    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
+
+    if (inWindow.length >= threshold) {
+      burstFound = true;
+      burstWindowStart = new Date(start).toISOString();
+      burstWindowEnd = new Date(end).toISOString();
+      burstVersionCount = inWindow.length;
+      burstVersions = inWindow.map(e => e.version);
+      break;
+    }
+  }
+
+  let hotPullDetected = false;
+  for (let i = 1; i < entries.length; i++) {
+    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
+    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
+      hotPullDetected = true;
+      break;
+    }
+  }
+
+  return {
+    triggered: burstFound || hotPullDetected,
+    burstWindow: burstFound
+      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
+      : null,
+    hotPullDetected,
+  };
+}

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -0,0 +1,88 @@
+const CREDENTIAL_FILE_PATTERNS = [
+  /~\/\.npmrc/,
+  /~\/\.gitconfig/,
+  /~\/\.aws\/credentials/,
+  /~\/\.ssh\/id_\w+/,
+  /~\/\.vault-token/,
+  /~\/\.claude\/settings\.json/,
+  /~\/Library\/Application\s+Support\/1Password\//,
+  /\/etc\/vault\/token/,
+  /\/proc\/\*\/mem/,
+  /\$GITHUB_ENV/,
+  /\$GITHUB_TOKEN/,
+  /\$NPM_TOKEN/,
+  /\$NODE_AUTH_TOKEN/,
+  /GH_TOKEN/,
+];
+
+const EXFIL_CHANNEL_PATTERNS = [
+  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
+  /\/gists\b.*authorization/i,
+  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
+  /AES-256-GCM/,
+  /RSA\/(?:PKCS|OAEP)/,
+];
+
+const ANTI_ANALYSIS_PATTERNS = [
+  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
+  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
+  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
+  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
+  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
+  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
+  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
+  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
+];
+
+function truncateSnippet(str, maxLen = 200) {
+  if (!str || str.length <= maxLen) return str || '';
+  return str.slice(0, maxLen) + '...';
+}
+
+export async function checkExfilPattern(extensionFiles = []) {
+  const signals = [];
+  const exfilPatterns = [];
+  const antiAnalysisTechniques = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    for (const cp of CREDENTIAL_FILE_PATTERNS) {
+      const match = content.match(cp);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        if (!exfilPatterns.some(e => e.includes(snippet))) {
+          exfilPatterns.push(`${path}: ${snippet}`);
+          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
+        }
+      }
+    }
+
+    for (const ep of EXFIL_CHANNEL_PATTERNS) {
+      const match = content.match(ep);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        exfilPatterns.push(`${path}: ${snippet}`);
+        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
+      }
+    }
+
+    for (const ap of ANTI_ANALYSIS_PATTERNS) {
+      if (ap.pattern.test(content)) {
+        if (!antiAnalysisTechniques.includes(ap.label)) {
+          antiAnalysisTechniques.push(ap.label);
+          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
+        }
+      }
+    }
+  }
+
+  return {
+    triggered: signals.length > 0,
+    signals,
+    exfilPatterns,
+    antiAnalysisTechniques,
+  };
+}

package/backend/vsix-scan/detectors/known-ioc.js

@@ -0,0 +1,105 @@
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+let iocsData = null;
+let iocsLoaded = false;
+let iocLoadError = null;
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
+
+function loadIOCData() {
+  if (iocsLoaded) return iocsData;
+  iocsLoaded = true;
+  try {
+    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
+  } catch (err) {
+    iocLoadError = err;
+    iocsData = null;
+  }
+  return iocsData;
+}
+
+export function getIOCLoadError() {
+  return iocLoadError;
+}
+
+export function reloadIOCData() {
+  iocsLoaded = false;
+  iocLoadError = null;
+  return loadIOCData();
+}
+
+export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+  const data = loadIOCData();
+  if (!data) return { triggered: false, matches: [] };
+
+  const matches = [];
+  const iocs = data.iocs || [];
+
+  for (const ioc of iocs) {
+    switch (ioc.type) {
+      case 'extensionId': {
+        if (ioc.value === extensionId) {
+          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+            matches.push({
+              type: 'extensionId',
+              value: extensionId,
+              maliciousVersion: version,
+              wave: ioc.wave,
+              cve: ioc.cve,
+              exposureWindowStart: ioc.exposureWindowStart,
+              exposureWindowEnd: ioc.exposureWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'publisherAccount': {
+        if (ioc.value === publisherAccount) {
+          const pubTime = versionHistory.length > 0
+            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+            : null;
+
+          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
+          const windowEnd = ioc.compromiseWindowEnd
+            ? new Date(ioc.compromiseWindowEnd).getTime()
+            : Infinity;
+
+          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
+            matches.push({
+              type: 'publisherAccount',
+              value: publisherAccount,
+              wave: ioc.wave,
+              compromiseWindowStart: ioc.compromiseWindowStart,
+              compromiseWindowEnd: ioc.compromiseWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'orphanCommitHash': {
+        for (const commit of orphanCommits) {
+          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+            continue;
+          }
+          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
+            matches.push({
+              type: 'orphanCommitHash',
+              value: commit,
+              repo: ioc.repo,
+              wave: ioc.wave,
+            });
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -0,0 +1,69 @@
+const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
+const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
+const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+
+export async function checkOrphanCommitFetch(extensionFiles = []) {
+  const signals = [];
+  const indicators = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
+      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: GitHub git commit SHA reference`);
+        signals.push({
+          type: 'ORPHAN_COMMIT_GITHUB_API',
+          indicator: 'GitHub API direct commit SHA resolution',
+          file: path,
+        });
+      }
+    }
+
+    if (NPX_GIT_URL_PATTERN.test(content)) {
+      const matches = content.match(NPX_GIT_URL_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: npx with git URL`);
+        signals.push({
+          type: 'NPX_GIT_URL',
+          indicator: 'npx resolves from git URL (non-registry)',
+          file: path,
+        });
+      }
+    }
+
+    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
+        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
+
+    if (hasMCPKeywords && hasExternalFetch) {
+      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
+      signals.push({
+        type: 'MCP_DISGUISED_EXFIL',
+        indicator: 'Shell command disguised as MCP setup',
+        file: path,
+      });
+    }
+
+    for (const bp of BUN_PATTERNS) {
+      if (bp.test(content)) {
+        indicators.push(`${path}: Bun installation pattern`);
+        signals.push({
+          type: 'BUN_INSTALL',
+          indicator: `Bun runtime install pattern: ${bp.source}`,
+          file: path,
+        });
+        break;
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals, indicators };
+}

package/backend/vsix-scan/detectors/publisher-anomaly.js

@@ -0,0 +1,70 @@
+export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
+  const signals = [];
+
+  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
+  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
+  const newAccountAgeDays = config.newAccountAgeDays ?? 30;
+  const highInstallThreshold = config.highInstallThreshold ?? 100000;
+  const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
+
+  const versions = versionHistory || [];
+  if (versions.length === 0) return { triggered: false, signals: [] };
+
+  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
+  if (publishers.length === 0) return { triggered: false, signals: [] };
+
+  const sortedVersions = [...versions]
+    .filter(v => v.publishedAt)
+    .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+
+  const extPublisher = publishers[0];
+  const allSame = publishers.every(p => p === extPublisher);
+
+  if (!allSame) {
+    for (const pub of publishers) {
+      if (pub !== extPublisher) {
+        signals.push({
+          type: 'PUBLISHER_ACCOUNT_SUBSTITUTION',
+          expectedPublisher: extPublisher,
+          unexpectedPublisher: pub,
+        });
+      }
+    }
+  }
+
+  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
+
+  const extAgeDays = publisherProfile?.dateCreated
+    ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
+    : null;
+
+  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
+    signals.push({
+      type: 'NEW_ACCOUNT_HIGH_INSTALL',
+      accountAgeDays: Math.round(extAgeDays),
+      installCount: extInstallCount,
+    });
+  }
+
+  if (sortedVersions.length >= 2) {
+    const sorted = sortedVersions;
+    for (let i = 1; i < sorted.length; i++) {
+      const prev = sorted[i - 1];
+      const curr = sorted[i];
+      if (curr.publishedBy !== prev.publishedBy) {
+        const gapMinutes = (new Date(curr.publishedAt) - new Date(prev.publishedAt)) / (1000 * 60);
+        if (gapMinutes <= addPublishWindowMinutes) {
+          signals.push({
+            type: 'ADD_PUBLISH_RAPID',
+            version: curr.version,
+            previousPublisher: prev.publishedBy,
+            newPublisher: curr.publishedBy,
+            gapMinutes: Math.round(gapMinutes * 100) / 100,
+          });
+        }
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals };
+}

package/backend/vsix-scan/index.js

@@ -0,0 +1,183 @@
+import { checkBurstPublish } from './detectors/burst-publish.js';
+import { checkPublisherAnomaly } from './detectors/publisher-anomaly.js';
+import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
+import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
+import { checkKnownIOC } from './detectors/known-ioc.js';
+import { checkExfilPattern } from './detectors/exfil-pattern.js';
+import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
+
+const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
+
+export async function vsixScan(extensionId, options = {}) {
+  const { publisherId, extensionName } = parseExtensionId(extensionId);
+
+  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
+  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
+  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
+  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
+
+  const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
+  const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
+
+  const config = options.config || {};
+
+  const activationResult = await checkActivationEventRisk(
+    manifest,
+    allVersions,
+    options.priorVersions || [],
+  );
+
+  const burstResult = await checkBurstPublish(allVersions, config);
+
+  const publisherResult = await checkPublisherAnomaly(
+    manifest || {},
+    publisherProfile || {},
+    allVersions,
+    config,
+  );
+
+  const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
+
+  const iocResult = await checkKnownIOC(
+    extensionId,
+    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
+    publisherId,
+    orphanResult.signals
+      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
+      .map(s => s.indicator),
+    allVersions,
+  );
+
+  const exfilResult = await checkExfilPattern(options.extensionFiles || []);
+
+  const triggeredSignals = [];
+  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
+  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
+  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
+  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
+  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
+  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
+
+  if (triggeredSignals.length === 0) return [];
+
+  const registryLabels = [];
+  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
+  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
+
+  const maxSeverity = triggeredSignals.reduce((max, s) => {
+    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
+    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
+    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
+    return max;
+  }, 0);
+
+  const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
+
+  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
+  let exposureWindowMinutes = null;
+  if (burstResult.hotPullDetected && allVersions.length >= 2) {
+    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
+    const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
+    exposureWindowMinutes = Math.round(gap);
+  }
+
+  const evidence = {
+    extensionId,
+    maliciousVersion: latestVersion,
+    registries: registryLabels,
+    exposureWindowMinutes,
+    triggeredSignals,
+    burstWindow: burstResult.burstWindow,
+    hotPullDetected: burstResult.hotPullDetected,
+    publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
+    activationEvents: manifest?.activationEvents || null,
+    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
+    orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
+    antiAnalysisTechniques: exfilResult.triggered ? exfilResult.antiAnalysisTechniques : null,
+  };
+
+  const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
+
+  return [{
+    id: 'VSIX_SCAN',
+    severity: finalSeverity,
+    title: `VS Code extension risk: ${extensionId}`,
+    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: remediationGuidance,
+  }];
+}
+
+function parseExtensionId(id) {
+  const idx = id.indexOf('.');
+  if (idx === -1 || idx === 0 || idx === id.length - 1) {
+    throw new Error(`Invalid extension ID: ${id}. Expected format: publisher.extension-name`);
+  }
+  return { publisherId: id.slice(0, idx), extensionName: id.slice(idx + 1) };
+}
+
+function mergeVersionHistories(marketplace, openVsx) {
+  const seen = new Set();
+  const merged = [];
+
+  for (const v of marketplace) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['marketplace'] });
+    }
+  }
+
+  for (const v of openVsx) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['open-vsx'] });
+    } else {
+      const existing = merged.find(m => m.version === v.version);
+      if (existing) {
+        existing.registries.push('open-vsx');
+      }
+    }
+  }
+
+  return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+}
+
+function extractManifest(marketplaceMeta, extensionId) {
+  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
+  const ext = marketplaceMeta.results[0].extensions[0];
+  const manifestStr = ext.galleryApiUrl || ext.manifest;
+  if (!manifestStr) return {};
+
+  try {
+    if (typeof manifestStr === 'object') return manifestStr;
+    return JSON.parse(manifestStr);
+  } catch {
+    return {};
+  }
+}
+
+function buildRemediation(triggeredSignals, extensionId) {
+  const parts = [];
+  if (triggeredSignals.includes('VSIX_KNOWN_IOC')) {
+    parts.push(`Extension ${extensionId} matches known campaign IOC. Remove immediately.`);
+  }
+  if (triggeredSignals.includes('VSIX_BURST_PUBLISH')) {
+    parts.push('Suspicious publish velocity detected. Verify publisher release history.');
+  }
+  if (triggeredSignals.includes('VSIX_PUBLISHER_ANOMALY')) {
+    parts.push('Publisher account anomaly detected. Verify publisher identity.');
+  }
+  if (triggeredSignals.includes('VSIX_ACTIVATION_EVENT_RISK')) {
+    parts.push('Risky activation events detected. Review extension activation scope.');
+  }
+  if (triggeredSignals.includes('VSIX_ORPHAN_COMMIT_FETCH')) {
+    parts.push('Dangling orphan commit fetch detected — technical signature of Nx Console attack.');
+  }
+  if (triggeredSignals.includes('VSIX_EXFIL_PATTERN')) {
+    parts.push('Credential exfiltration patterns detected. Revoke all tokens.');
+  }
+  return parts.join(' ');
+}

package/backend/vsix-scan/marketplace-client.js

@@ -0,0 +1,145 @@
+const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
+const OPENVSX_API = 'https://open-vsx.org/api';
+
+const _cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000;
+const RATE_LIMIT_MS = 6000;
+let _lastFetchTime = 0;
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+async function rateLimitedFetch(url) {
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  const cached = _cache.get(url);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  let res;
+  try {
+    res = await fetch(url);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url);
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url, { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+function parseExtensionId(id) {
+  const parts = id.split('.');
+  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
+}
+
+export async function getExtensionMetadata(publisherId, extensionName) {
+  const url = `${MARKETPLACE_API}/extensionquery`;
+  const body = {
+    filters: [{
+      criteria: [
+        { filterType: 8, value: `${publisherId}.${extensionName}` },
+      ],
+    }],
+    flags: 914,
+  };
+
+  const cached = _cache.get(url + JSON.stringify(body));
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      body: JSON.stringify(body),
+    });
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+export async function getVersionHistory(publisherId, extensionName) {
+  const data = await getExtensionMetadata(publisherId, extensionName);
+  if (!data?.results?.[0]?.extensions?.[0]) return [];
+
+  const extension = data.results[0].extensions[0];
+  const versions = extension.versions || [];
+
+  return versions.map(v => ({
+    version: v.version,
+    publishedAt: v.lastUpdated || v.publishedDate,
+    publishedBy: extension.publisher?.publisherName || publisherId,
+    assetSha256: v.assetUri ? null : null,
+    flags: v.flags ? [String(v.flags)] : [],
+  }));
+}
+
+export async function getPublisherProfile(publisherId) {
+  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxMetadata(namespace, name) {
+  const url = `${OPENVSX_API}/${namespace}/${name}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxVersionHistory(namespace, name) {
+  const data = await getOpenVsxMetadata(namespace, name);
+  if (!data) return [];
+  const versions = data.allVersions || {};
+  const files = data.files || {};
+
+  return Object.entries(versions).map(([version, publishedAt]) => ({
+    version,
+    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
+    publishedBy: data.namespace || namespace,
+    assetSha256: files?.[version]?.sha256 || null,
+    flags: [],
+  }));
+}
+
+export function clearMarketplaceCache() {
+  _cache.clear();
+  _lastFetchTime = 0;
+}

package/backend/vsix-scan/vsix-iocs.json

@@ -0,0 +1,31 @@
+{
+  "lastUpdated": "2026-05-25",
+  "schema": "vsix-ioc-v1",
+  "iocs": [
+    {
+      "type": "extensionId",
+      "value": "nrwl.angular-console",
+      "maliciousVersions": ["18.95.0"],
+      "wave": "nx-console-wave3",
+      "cve": "CVE-2026-48027",
+      "exposureWindowStart": "2026-05-18T12:30:00Z",
+      "exposureWindowEnd": "2026-05-18T13:09:00Z",
+      "registries": ["marketplace", "open-vsx"],
+      "safeVersion": ">=18.100.0",
+      "source": "https://nx.dev/blog/nx-console-v18-95-0-postmortem"
+    },
+    {
+      "type": "publisherAccount",
+      "value": "nrwl",
+      "compromiseWindowStart": "2026-05-11T00:00:00Z",
+      "compromiseWindowEnd": "2026-05-18T13:09:00Z",
+      "note": "Contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publish"
+    },
+    {
+      "type": "orphanCommitHash",
+      "value": "PLACEHOLDER_UPDATE_FROM_THREAT_INTEL",
+      "repo": "nrwl/nx",
+      "note": "Dangling commit hosting 498KB Bun payload — update hash from StepSecurity IOC report"
+    }
+  ]
+}

package/cli/cli.js

@@ -38,6 +38,7 @@ program
   .option('--cache-dir <path>', 'Cache directory for offline/air-gapped scans')
   .option('--cache-ttl <seconds>', 'Cache TTL in seconds (default: 604800 = 7 days)', '604800')
   .option('--cache-size <bytes>', 'Max cache size in bytes (default: 1GB)', '1000000000')
+  .option('--vsix <extensionId>', 'Scan a VS Code extension (e.g. nrwl.angular-console)')
   .action(async (target, options) => {
     try {
       if (options.fips) {
@@ -50,11 +51,21 @@ program
         cacheMaxSize: parseInt(options.cacheSize || '1000000000')
       };
 
-      if (!target && !options.file) {
-        console.error('Error: specify a package name or --file <path>');
+      if (!target && !options.file && !options.vsix) {
+        console.error('Error: specify a package name, --file <path>, or --vsix <extensionId>');
         process.exit(1);
       }
 
+      if (options.vsix && !target && !options.file) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        const vsixFindings = await vsixScan(options.vsix);
+        const { saveScan } = await import('../backend/db.js');
+        const scanId = await saveScan(options.vsix, 'latest', vsixFindings);
+        const vsixOutput = JSON.stringify({ scanId, findings: vsixFindings, blocked: false, riskScore: 0, vsix: true }, null, 2);
+        console.log(vsixOutput);
+        return;
+      }
+
       const policy = options.policy
         ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
         : null;
@@ -72,10 +83,16 @@ program
         : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
       const pkgName = target || pkgJson.name || 'unknown';
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
+      let vsixFindings = [];
+      if (options.vsix) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        vsixFindings = await vsixScan(options.vsix);
+      }
+      const allFindings = [...findings, ...vsixFindings];
       const { saveScan } = await import('../backend/db.js');
-      const scanId = await saveScan(pkgName, 'latest', findings);
+      const scanId = await saveScan(pkgName, 'latest', allFindings);
 
-      let outputFindings = findings;
+      let outputFindings = allFindings;
       let blocked = false;
 
       if (policy) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.4",
+  "version": "0.15.5",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {